Merged
16 changes: 16 additions & 0 deletions .trivyignore
@@ -0,0 +1,16 @@
# .trivyignore — Accepted / deferred Trivy findings
#
# Each entry suppresses a specific CVE/GHSA across all scans.
# All entries must include a rationale and a review date.

# GHSA-67mh-4wv8-2f99 — esbuild <=0.24.2 dev-server binds 0.0.0.0
# Root cause: drizzle-kit@0.31.10 (latest) → @esbuild-kit/esm-loader@2.6.5
# → @esbuild-kit/core-utils@3.3.2 → esbuild@0.18.20.
# drizzle-kit has no upstream release that drops @esbuild-kit.
# Forcibly overriding esbuild to >=0.25 breaks @esbuild-kit/core-utils
# because the package uses internal esbuild APIs that changed between
# 0.18 and 0.25.
# Risk: Dev-only; esbuild's dev server is never run in CI or production.
# The advisory affects the `serve` API, which drizzle-kit does not invoke.
# Review: re-evaluate when drizzle-kit drops @esbuild-kit or publishes a fix.
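Review bot: the entry breaks the rule stated in its own header. The header says every entry must carry a rationale and a review date, but the `# Review:` line gives only a condition ("when drizzle-kit drops @esbuild-kit or publishes a fix"), which nobody is scheduled to check. Add a concrete date to that line, or move the suppression into `.trivyignore.yaml`, where Trivy accepts an `expired_at` date and a `paths` filter per entry, so the suppression lapses on its own instead of depending on someone re-reading a comment. One more caveat on the rationale: the header states that an entry suppresses the advisory across all scans, so the "dev-only" argument holds only as long as `drizzle-kit` and the `@esbuild-kit/*` chain never end up in an image layer that a production scan covers; the rationale should say how that is guaranteed (for example, that drizzle-kit is a devDependency and the production stages copy only built output), otherwise a future esbuild 0.18.20 in a shipped image stays hidden by this file.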
Copilot AI Apr 16, 2026

This .trivyignore header states that all entries must include a rationale and a review date, but the suppression block does not include an actual review date. Add a concrete date (e.g. Review: YYYY-MM-DD) so the suppression has a clear re-evaluation point and matches the documented policy.

Suggested change
# Review: re-evaluate when drizzle-kit drops @esbuild-kit or publishes a fix.
# Review: 2026-01-15 — re-evaluate when drizzle-kit drops @esbuild-kit or publishes a fix.

2 changes: 2 additions & 0 deletions backend/Dockerfile
@@ -9,5 +9,7 @@ RUN dotnet publish src/ShockStack.Api -c Release -o /out
FROM mcr.microsoft.com/dotnet/aspnet:10.0-preview AS production
WORKDIR /app
COPY --from=build /out .
RUN addgroup --gid 1001 --system appgroup && adduser --uid 1001 --system --ingroup appgroup appuser && chown -R appuser:appgroup /app
Comment on lines 11 to +12
Copilot AI Apr 16, 2026

This stage copies files as root, then fixes ownership with chown -R. To reduce layers and build time, consider creating the user/group first and using COPY --chown=1001:1001 --from=build /out . (or equivalent) so you don’t need a recursive chown step.

Suggested change
COPY --from=build /out .
RUN addgroup --gid 1001 --system appgroup && adduser --uid 1001 --system --ingroup appgroup appuser && chown -R appuser:appgroup /app
RUN addgroup --gid 1001 --system appgroup && adduser --uid 1001 --system --ingroup appgroup appuser
COPY --chown=1001:1001 --from=build /out .

USER appuser
EXPOSE 8080
Comment on lines +12 to 14
Copilot AI Apr 16, 2026

PR description says numeric UIDs are used for portability, but the container switches with USER appuser (name-based). If numeric is important for runtime environments/scanners, prefer USER 1001:1001 here (or adjust the PR description to match the implementation).

ENTRYPOINT ["dotnet", "ShockStack.Api.dll"]
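Review bot: `chown -R appuser:appgroup /app` gives the runtime user write access to `ShockStack.Api.dll` and every assembly next to it, which the service does not need and which lets a compromised process rewrite its own code to persist across restarts. Leave the published output root-owned and world-readable (the default after `COPY --from=build /out .`), drop the recursive chown, and only chown directories the app must write to, if there are any; that also avoids the second copy of every file that a recursive chown on a fresh layer produces. On `USER appuser`: the line is name-based, while the group/user were created with explicit uid/gid 1001. Kubernetes `runAsNonRoot` refuses to start a container whose image `USER` is a name rather than a number, because the kubelet cannot verify that the name maps to a non-root UID, so `USER 1001:1001` is the portable form and matches the numeric-UID intent described for this PR. Finally, the production stage builds on `aspnet:10.0-preview`; a preview tag does not receive the patch cadence of a released channel, so track moving it to a GA tag as a follow-up.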
3 changes: 3 additions & 0 deletions docker/frontend.Dockerfile
@@ -20,7 +20,10 @@ RUN pnpm --filter @shockstack/tokens build
RUN pnpm --filter frontend build

FROM base AS production
RUN addgroup -g 1001 -S appgroup && adduser -u 1001 -S appuser -G appgroup
COPY --from=build /app/frontend/dist /app/dist
COPY --from=build /app/frontend/package.json /app/
RUN chown -R appuser:appgroup /app
Comment on lines 24 to +26
Copilot AI Apr 16, 2026

RUN chown -R ... /app adds an extra layer and can be slow on larger build contexts. You can avoid the recursive chown by using COPY --chown=appuser:appgroup ... for the two COPY instructions (after creating the user), which is typically faster and produces smaller images.

Suggested change
COPY --from=build /app/frontend/dist /app/dist
COPY --from=build /app/frontend/package.json /app/
RUN chown -R appuser:appgroup /app
COPY --from=build --chown=appuser:appgroup /app/frontend/dist /app/dist
COPY --from=build --chown=appuser:appgroup /app/frontend/package.json /app/

USER appuser
EXPOSE 4321
CMD ["node", "./dist/server/entry.mjs"]
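Review bot: `RUN chown -R appuser:appgroup /app` makes `/app/dist`, including `./dist/server/entry.mjs` that `CMD` executes, writable by the user that runs it; anyone who gains code execution in the server can then edit the entry module and survive a restart. The copied files only need to be readable, so keep them root-owned (the `COPY` lines already produce that) and remove the chown, reserving `COPY --chown` or a targeted chown for a directory the server must write. `USER appuser` should be `USER 1001:1001`: the uid/gid are already fixed in the `adduser` line, and a numeric `USER` is what lets a Kubernetes `runAsNonRoot` policy verify the image without refusing to start it. Since `production` inherits `FROM base` rather than a fresh runtime image, also confirm that `base` does not carry pnpm and the build-time workspace, because this hunk copies only `dist` and `package.json` on top of whatever `base` already contains.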
Comment on lines +27 to 29
Copilot AI Apr 16, 2026

PR description mentions numeric UIDs for portability, but the image uses USER appuser (name-based). If numeric UID usage is required for the security policy/scanner, switch to USER 1001:1001 (or update the PR description if name-based is intended).

9 changes: 9 additions & 0 deletions package.json
@@ -57,6 +57,15 @@
"node": ">=22"
},
"pnpm": {
"overrides": {
"yaml": ">=2.8.3",
"vite": ">=7.3.2 <8",
"smol-toml": ">=1.6.1",
"picomatch": ">=4.0.4",
"h3": ">=1.15.9 <2",
"devalue": ">=5.6.4",
"defu": ">=6.1.5"
Comment on lines +61 to +67
Copilot AI Apr 16, 2026

The new pnpm.overrides entries use open-ended >= ranges (e.g. yaml, smol-toml, picomatch, devalue, defu). This can allow future major-version upgrades during install, which can introduce breaking changes unexpectedly. Consider pinning to the patched version or adding an explicit upper bound (e.g. <next-major) for each override to keep installs deterministic and reduce risk.

Suggested change
"yaml": ">=2.8.3",
"vite": ">=7.3.2 <8",
"smol-toml": ">=1.6.1",
"picomatch": ">=4.0.4",
"h3": ">=1.15.9 <2",
"devalue": ">=5.6.4",
"defu": ">=6.1.5"
"yaml": ">=2.8.3 <3",
"vite": ">=7.3.2 <8",
"smol-toml": ">=1.6.1 <2",
"picomatch": ">=4.0.4 <5",
"h3": ">=1.15.9 <2",
"devalue": ">=5.6.4 <6",
"defu": ">=6.1.5 <7"

},
"ignoredBuiltDependencies": [
"@bundled-es-modules/glob",
"esbuild",
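Review bot: the seven new overrides record nothing about why each floor exists, and `package.json` cannot carry comments, so list the advisory behind each one (`yaml >=2.8.3`, `smol-toml >=1.6.1`, `picomatch >=4.0.4`, `devalue >=5.6.4`, `defu >=6.1.5`, `vite`, `h3`) in the PR or next to `.trivyignore`; without that, nobody can tell when an override is safe to retire once the direct dependencies catch up. Only `vite` (`<8`) and `h3` (`<2`) are capped. An override replaces the version every dependent requested, so an uncapped `>=` resolves to the newest major the next time the lockfile is refreshed and forces, say, `picomatch` 5 or `yaml` 3 onto packages that never asked for it; give the other five the same `<next-major` bound. Make sure CI installs with `pnpm install --frozen-lockfile` so the `pnpm-lock.yaml` changes in this PR are the effective pins and any drift fails the build instead of silently upgrading.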
56 changes: 26 additions & 30 deletions pnpm-lock.yaml
